You are on page 1of 13

HOME

COMPTIA

WINDOW

LINUX

CISCO

TIPS AND TRICKS

CAREERS
Search...

You are here: Home // Cisco // CCNA Study Guide 640 - 802 // Network Security access lists standards and extended // How to configure extended access list on
router

How to configure extended access list on router

Cisco Security Free Trial

Cisco ASA Router


Cisco CCNA
Router Firewall

cisco.com
Free Trial - Protect Your Business Network w/ Cisco Security Solutions
In this article we will configure Extended access list. If you want to read the feature and characteristic of access list reads this
previous article.
In this article we will use a RIP running topology. Which we created in RIP routing practical.

Easily create high-quality PDFs from your web pages - get a business license!

Cisco Networking
Computer Router
Computer Network

Download this RIP routing topology and open it in packet tracer


Rip Routing

Three basic steps to configure Extended Access List


Use the access-list global configuration command to create an entry in a Extended ACL.
Use the interface configuration command to select an interface to which to apply the ACL.
Use the ip access-group interface configuration command to activate the existing ACL on an interface.
An extended ACL gives you much more power than just a standard ACL. Extended IP ACLs check both the source and destination
packet addresses. They can also check for specific protocols, port numbers, and other parameters, which allow administrators more
flexibility and control.

access-list access-list-number {permit | deny} protocol source source-wildcard


[operator port]
destination destination-wildcard [operator port] [established] [log]

CA - Cloud Based Services


ca.com/IM
Cloud Based Service Delivery Drives Improved Performance. Download Now.
Command
Descriptions
Parameters
access-list

Main command

access-listnumber
permit
deny

Identifies the list using a number in the ranges of 100199 or 2000 2699.

Indicates whether this entry allows or blocks the specified address.

Easily create high-quality PDFs from your web pages - get a business license!

protocol
source and
destination
sourcewildcard
and
destinationwildcard

IP, TCP, UDP, ICMP, GRE, or IGRP.

Identifies source and destination IP addresses.

The operator can be lt (less than), gt (greater than), eq (equal to), or neq (not equal to). The port number
referenced can be either the source port or the destination port, depending on where in the ACL the port number is
configured. As an alternative to the port number, well-known application names can be used, such as Telnet,
FTP, and SMTP.

For inbound TCP only. Allows TCP traffic to pass if the packet is a response to an outbound-initiated session.
established

This type of traffic has the acknowledgement (ACK) bits set. (See the Extended ACL with the Established
Parameter example.)

log

Sends a logging message to the console.

Before we configure Extended Access list you should cram up some important port number

Well-Known Port Numbers and IP Protocols


Port Number

IP Protocol

20 (TCP)

FTP data

21 (TCP)

FTP control

23 (TCP)

Telnet

25 (TCP)

Simple Mail Transfer Protocol (SMTP)

53 (TCP/UDP)

Domain Name System (DNS)

69 (UDP)

TFTP

80 (TCP)

HTTP

Easily create high-quality PDFs from your web pages - get a business license!

With Access Lists you will have a variety of uses for the wild card masks, but typically For CCNA exam prospective you should be
able to do following:
Block host to host
Block host to network
Block Network to network
Block telnet access for critical resources of company
Limited ftp access for user
Stop exploring of private network form ping
Limited web access
Configure established keyword

Block host to host


Task
You are the network administrator at ComputerNetworkingNotes.com. Your company hire a new employee and give him a pc
10.0.0.3. your company's critical record remain in 40.0.0.3. so you are asked to block the access of 40.0.0.3 from 10.0.0.3. while
10.0.0.3 must be able connect with other computers of network to perfom his task.
Decide where to apply ACL and in which directions.
As we are configuring Extended access list. With extended access list we can filter the packed as soon as it genrate. So we will
place our access list on F0/0 of Router1841 the nearest port of 10.0.0.3
To configure Router1841 (Hostname R1) double click on it and select CLI

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 101 deny ip host 10.0.0.3 40.0.0.3 0.0.0.0
R1(config)#access-list 101 permit ip any any
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 101 in
R1(config-if)#exit
R1(config)#
Verify by doing ping from 10.0.0.3 to 40.0.0.3. It should be reqest time out. Also ping other computers of network including 40.0.0.2.
Easily create high-quality PDFs from your web pages - get a business license!

ping shuld be sucessfully.

Block host to network


Task
Now we will block the 10.0.0.3 from gaining access on the network 40.0.0.0. ( if you are doing this practical after configuring
pervious example don't forget to remove the last access list 101. With no access-list command. Or just close the packet tracer
without saving and reopen it to be continue with this example.)

R1(config)#access-list 102 deny ip host 10.0.0.3 40.0.0.0 0.255.255.255


R1(config)#access-list 102 permit ip any any
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 102 in
R1(config-if)#exit
R1(config)#
Verify by doing ping from 10.0.0.3 to 40.0.0.3. and 40.0.0.2.It should be reqest time out. Also ping computers of other network. ping
shuld be sucessfully.
Once you have calculated the wild card mask rest is same as we did in pervious example

R2>enable
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.0.0.0 0.255.255.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#
To test first do ping from 10.0.0.3 to 40.0.0.3 it should be request time out as this packet will filter by ACL. Then ping 30.0.0.3 it
should be successfully replay.

Network to Network Access List


Task
Students lab is configured on the network of 10.0.0.0. While management's system remain in the network of 40.0.0.0. You are
asked to stop the lab system from gaining access in management systems
Easily create high-quality PDFs from your web pages - get a business license!

Now we will block the network of 10.0.0.0 from gaining access on the network 40.0.0.0. ( if you are doing this practical after
configuring pervious example don't forget to remove the last access list 101. With no access-list command. Or just close the packet
tracer without saving and reopen it to be continue with this example.)

R1(config)#access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255


R1(config)#access-list 103 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 103 in
R1(config-if)#exit
R1(config)#
Verify by doing ping from 10.0.0.3 and 10.0.0.2 to 40.0.0.3. and 40.0.0.2.It should be reqest time out. Also ping computers of other
network. ping shuld be sucessfully.

Network to host
Task
For the final scenario you will block all traffic to 40.0.0.3 from the Network of 10.0.0.0 To accomplish this write an extended access
list. The access list should look something like the following.

R1(config)#interface fastethernet 0/0


R1(config-if)#no ip access-group 103 in
R1(config-if)#exit
R1(config)#no access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
R1(config)#access-list 104 deny ip 10.0.0.0 0.255.255.255 40.0.0.3 0.0.0.0
R1(config)#access-list 104 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 104 in
R1(config-if)#exit
R1(config)#
Verify by doing ping from 10.0.0.3 and 10.0.0.2 to 40.0.0.3.It should be reqest time out. Also ping computers of other network. ping
shuld be sucessfully.

Application based Extended Access list


Easily create high-quality PDFs from your web pages - get a business license!

In pervoius example we filter ip base traffic. Now we will filter applicaion base traffic. To do this practical either create a topology as
shown in figure and enable telnet and http and ftp service on server or download this pre configured topology and load it in packet
tracer.
Extended Access list

The established keyword


T h e established keyword is a advanced feature that will allow traffic through only if it sees that a TCP session is already
established. A TCP session is considered established if the three-way handshake is initiated first. This keyword is added only to the
end of extended ACLs that are filtering TCP traffic.
You can use TCP established to deny all traffic into your network except for incoming traffic that was first initiated from inside your
network. This is commonly used to block all originating traffic from the Internet into a company's network except for Internet traffic
that was first initiated from users inside the company. The following configuration would accomplish this for all TCP-based traffic
coming in to interface serial 0/0/0 on the router:

R1(config)#access-list 101 permit tcp any any established


R1(config)#interface serial 0/0/0
R1(config-if)#ip access-group 101 in
R1(config-if)#exit
Although the access list is using a permit statement, all traffic is denied unless it is first established from the inside network. If the
router sees that the three-way TCP handshake is successful, it will then begin to allow traffic through.
Easily create high-quality PDFs from your web pages - get a business license!

To test this access list double click on any pc from the network 10.0.0.0 and select web brower. Now give the ip of 30.0.0.2 web
server. It should get sucessfully access the web page. Now go 30.0.0.2 and open command prompt. And do ping to 10.0.0.2 or any
pc from the network the 10.0.0.0. it will request time out.

Stop ping but can access web server


We host our web server on 30.0.0.2. But we do not want to allow external user to ping our server as it could be used as denial of
services. Create an access list that will filter all ping requests inbound on the serial 0/0/0 interface of router2.

R2(config)#access-list 102 deny icmp any any echo


R2(config)#access-list 102 permit ip any any
R2(config)#interface serial 0/0/0
R2(config-if)#ip access-group 102 in
To test this access list ping from 10.0.0.2 to 30.0.0.2 it should be request time out. Now open the web browser and access 30.0.0.2
it should be successfully retrieve

Grant FTP access to limited user


You want to grant ftp access only to 10.0.0.2. no other user need to provide ftp access on server. So you want to create a list to
prevent FTP traffic that originates from the subnet 10.0.0.0/8, going to the 30.0.0.2 server, from traveling in on Ethernet interface
E0/1 on R1.

R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 20


R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 21
R1(config)#access-list 103 deny tcp any any eq 20
R1(config)#access-list 103 deny tcp any any eq 21
R1(config)#access-list 103 permit ip any any
R1(config)#interface fastethernet 0/1
R1(config-if)#ip access-group 103 in
R1(config-if)#exit
Grant Telnet access to limited user
For security purpose you dont want to provide telnet access on server despite your own system. Your system is 10.0.0.4. create a
extended access list to prevent telnet traffic that originates from the subnet of 10.0.0.0 to server.

R1(config)#access-list 104 permit tcp host 10.0.0.4 30.0.0.2 0.0.0.0 eq 23


Easily create high-quality PDFs from your web pages - get a business license!

R1(config)#access-list 104 deny tcp 10.0.0.0 0.255.255.255 30.0.0.2 0.0.0.0 eq 23


R1(config)#access-list 104 permit ip any any
R1(config)#interface fast 0/1
R1(config-if)#ip access-group 104 in
R1(config-if)#exit

More Related Articles For You


Network Definitions Characteristics Components locations
Network Security Types of attacks
Network Security Mitigating Common Threats
Access Control List Standard and Extended
Network security Reconnaissance attack
How to configure standard access list on router
How to configure extended access list on router

Written by Admin
< Prev

Comments
# Zachariah nuzuga

2014-09-06 17:10

that's a very good breakdown thanks alot


Reply | Reply with quote | Quote
# snipy

2014-08-29 07:21

how configure 2 network


network A can't access network B but network B can access network A..?
Reply | Reply with quote | Quote
# bisoye

2014-08-11 23:31

nice ACL configuration breakdown..more power to your elbow.


Reply | Reply with quote | Quote
# uma@smartag

2014-06-24 04:46

Easily create high-quality PDFs from your web pages - get a business license!

thanks a lot i get it now...


Reply | Reply with quote | Quote
# phillip muyungi

2014-06-13 13:22

-I have two ISP in my network and i want 11.0.0.1/24 block to access only email via ISP-1 and 192.168.0.1/24 block can
access the internet
via ISP-2. How can i configured this on cisco router
-Anyone have an idea please help-since i need to use both ISP's on my network.
Reply | Reply with quote | Quote
# anitha

2014-04-20 06:31

Thanks a lot.very clear explanation.


Reply | Reply with quote | Quote
# vik__t

2014-04-12 17:55

thanks man you are awesome


Reply | Reply with quote | Quote
# venkat

2014-04-08 04:33

good it's very helpful for me..


Thank u..
Reply | Reply with quote | Quote
# mutungi joel

2014-03-27 07:58

Hello,
Many thanks for the content. I've learnt a lot. May God bless u
Reply | Reply with quote | Quote
# asa

2014-02-20 11:32

Thanks dude, your tutorials really work. I love you as i love packet tracer. Thanks a bunch again:))
Reply | Reply with quote | Quote
# asa

2014-02-20 11:30

Thanks dude, your tutorials really work!!!!!!!!! I love you as i love packet tracer:))
Reply | Reply with quote | Quote
# faizal

2014-02-19 11:44

very very thanks,it's very useful...


please upload lots of scenario for different topics
Reply | Reply with quote | Quote
Easily create high-quality PDFs from your web pages - get a business license!

# mmustafa

2014-01-21 12:51

very helpful thanks


Reply | Reply with quote | Quote
# GayathriKesavan

2014-01-06 10:15

Thank you so much...very nice post.


Reply | Reply with quote | Quote
# Ngarombo

2013-12-29 15:37

Thanks a lot this was very helpful however blocking a number of hosts say (10.1.50.1 through 10.1.50.63) I have got a
problem with that.
Reply | Reply with quote | Quote
# Sikkander Basha

2013-11-11 06:14

Awesome of explanation..please keep on posting..


Reply | Reply with quote | Quote
# phillip

2013-10-25 13:33

its cool and explain in such away anyone can understand


Reply | Reply with quote | Quote
# emerie

2013-10-11 21:59

The details description of every command is awesome. I really love the site and a big thank you to the developer,great work
well done.
Reply | Reply with quote | Quote
# Tanzeem Akhtar

2013-10-11 07:35

A billion thanks to you sir G.............


Reply | Reply with quote | Quote
# Brisky

2013-10-09 02:02

Totally appreciate your efforts here


Reply | Reply with quote | Quote
# Brisky

2013-10-09 02:01

Thank you, this was very helpful, detailed explanation. Well done
Reply | Reply with quote | Quote
# PRATIK Y SADHU

2013-10-08 08:32

Easily create high-quality PDFs from your web pages - get a business license!

your word to word CLI explanations of CPT and diagrams helped me a lot. a billion thanks to you. awesome site for
networking students.
Reply | Reply with quote | Quote
# vali

2013-10-04 17:05

nicee make me feel familiar with packet tracer and acl's THNX
Reply | Reply with quote | Quote
# fiston

2013-09-16 09:23

nice job nd i've truly appreciated it...


Reply | Reply with quote | Quote
# VIKASH MAHALA

2013-09-09 19:19

NICE WORK
THANKS DEAR
Reply | Reply with quote | Quote
# sumit

2013-08-17 17:49

it is easy and comforttable


Reply | Reply with quote | Quote
# Rahul Wankhade

2013-08-16 05:11

Nice very helpful...thank You


Reply | Reply with quote | Quote
# rodney

2013-08-14 15:24

very good i just tried. nice and clear explan.


Reply | Reply with quote | Quote
Refresh comments list
Add comment

FOLLOW US

Easily create high-quality PDFs from your web pages - get a business license!

CONTACT US

On Google plus

On Twitter
435

Follow

Follow

Like us on Facebook
Find us on Facebook

ComputerNetworkingNotes.com
Like
6,797 people like ComputerNetworkingNotes.com.

Write for us
We are always on the lookout for new talent and ideas. We provide you a
platform to share your ideas and knowledge with the world while developing a
name for yourself as an expert in your field. We encourage you to learn more
and submit a article!
Advertise With us
Reach millions of global audience including network administrator and system
admin. Advertising on ComputerNetworkingNotes.com will allow your company
to tap into one of the largest online communities of computer networking.
Report an issue
We greatly appreciate our visitors helping us to find issues with the site. we
will investigate your report and use the information you provide to improve our
site.

Facebook social plugin

Other reason
We love to hear from you! Regardless of the type of feedback, we are always
ready to assist you.

Copyright 2010 - 2014. ComputerNetworkingNotes.com

Easily create high-quality PDFs from your web pages - get a business license!

Advertise with us Write for us Contact Us Privacy Policy Terms and conditions

You might also like